I'm a little confused about how you have this rule setup. It sounds like you have the userID and the updatable variable held in the session after the index page. Are you basing the access rule on these session variables? You mention that the access rule looks at the recordset, this is usually not the way you should have the access rules setup. If you are referencing recordset values in your access rule this could be the reason for it not working as the recordset values have limited scope and are only available on the page that the recordset was created on.
If your access rules are based on session variables one way to check on the status of these variables is to dump the contents of the session array, in PHP you can do that by adding this code:
<?php
print("<pre>");
var_dump($_SESSION);
print("</pre>");
?>
If you place this code into your page just before the display areas you should see what the values of the session variables are. If you continue to have trouble with this post back with the results you get and any other info along with how the rules are setup specifically in the access rules manager.